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THE PROBLEM 


In today’s world, it is essential for an authorization concept to be dynamic and adaptable, so that 
standards of a company can be supported or protected in the best possible way. Thus, it is not unlikely 
that several SAP roles need to be modified through profile generator by a process change or a new 
process altogether. These changes can take a variety of forms. Be it modifications to an organizational 
level, adjusting authorization field values of a certain authorization object, or adding or removing a 
transaction from the role menu. Depending on the number of roles to be adjusted, such a task can take a 
few hours, if not days with updates through transaction PFCG. In order to make such changes more time- 
efficient, a mass role processing tool has been developed by SAP, the functionalities of which | would like 
to explain to you below. 


THE SOLUTION 


The t-code that this blog is covering is the PFCGMASSVAL. This can be imported into your SAP system 
by SAP Note «2177996 — PFCGMASSVAL: Mass maintenance of authorization values in roles» (usually 
by your SAP Basis Team). 


With this transaction, SAP offers you the ability to make PFCG mass changes with the following options: 


Change organizational levels 

Adjust field values of authorizations for an object 

Adjust field values of authorizations for a field (Cross-Object) 
Add/delete manual authorization for an object 

Add F4 as default value without changing to status “changed” 


Mass Maintenance of Authorization Values 
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Figure 1: Overview of transaction PFCGMASSVAL 


FUNCTIONALITY 
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In order to be able to explain the individual functionalities of the transaction, | would like to run through a 
practical example from the everyday life of authorization administration, specifically, role maintenance. 


The purchasing department has asked you to adjust all single roles and derived roles mapped to users in 
the production system that have an overall authorization “*” for document types of purchase orders 
replacing it with the value “NB” for a normal purchase order. 


In addition, the company has grown. A new location in Germany was identified. This has been entered 
into the SAP system under plant “9999” and is to be added in all roles that include authorizations for 
Germany. 


It must be determined in advance which ABAP roles are to be updated. This can be done via the direct 
selection of roles, a masked entry, or via a “Roles with Authorization Data” search, in which you can 
identify roles to be modified according to your requirements. 


Standard Selection 


p m ae 
P IMODE’ 3 | ci J Roles with Authorization Data 


Figure 2: Overview Selection 


The following processing modes are also available in the selection form: 


e Simulation 
e Execute with prior simulation 
e Direct execution 


TIP: It is always recommended to use “Execute with prior simulation”, as you still have the option of 
checking the previous summary of the changes. 


In the next step, the changes to be made must be defined. Since the selection parameters will need 
updated depending on the type of field change, each change variant is explained individually below. 


CHANGE ORGANIZATIONAL LEVELS 


Use this option to adjust the values of the organizational levels contained in the roles. The following 
modification options are available: 


Add a value 

Replace a value 
Replace all field values 
Delete a value 


In the organizational level field, the field to be edited must be selected. This can also be selected by the 
F4 input help. 


Last but not least, the new values must be defined by which the roles are to be extended. This is done via 
the respective button and the entry of the desired values. For our example, the master data value “9999” 
must therefore be entered with the action “Add”. 
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Figure 3: Changing the Organizational Level Overview 


CHANGE FIELD VALUES OF AUTHORIZATIONS FOR 
AN OBJECT 


Change Organizational Levels 


With the help of this action, it is possible to change values of a field to a specific object. In our example, 
the object M_BEST_BSA. Similar to changing an organizational level, the following actions are available: 


Add a value 

Replace a value 
Replace all field values 
Delete a value 


To replace the value “*” with the requested value “NB”, the selection must look like this. 


Change Field Values of Authorizations for an Object 
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Figure 4: Overview Changing Authorization to Object 


CHANGE FIELD VALUES OF AUTHORIZATIONS FORA 
FIELD (CROSS-OBJECT) 


Similar to the action of changing field values of an individual object, it is also possible to adjust field 
values across objects using transaction PFCGMASSVAL. This can be advantageous, for example, if you 
want to create a display role and only want the field values for the display activities for field ACTVT. 
Another advantage here is the further setting options of the transaction, which additionally appear in the 
mask when changes to field values are selected: 
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Figure 5: Advanced Settings for Field Value Changes 


You can use these settings to determine which authorization instances are to be changed, taking into 
account the activity field value and maintenance status of the authorization object itself. You will also be 
offered the option to prevent the authorization object from switching to the “Modified” status. This is 
advisable if you maintain your roles in the SU24 authorization checks context of SAP and do not want to 
lose the where-used list for field values per transactions. 


ADD/DELETE MANUAL AUTHORIZATIONS FOR AN 
OBJECT 


As in the maintaining of authorization objects in the SU24 context, it is possible to add or remove manual 
authorization instances via PFCGMASSVAL. This can be helpful in situations if you need to maintain a 
value role concept for certain authorization objects and need to expand or reduce the scope of the roles. 
As usual, the affected object must be selected, including the values. 


Add Manual Authorization for an Object 
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Figure 6: Adding/Deleting a Manual Authorization 


REVIEW THE CHANGES AND GENERATE THE 
PROFILE 
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As soon as your selection of changes is completed, the simulation can be executed. Depending on the 
previous selection, you can check the changes, select the roles to be adjusted, and have the system 
make the changes. 
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Figure 7: Review and execution of changes 


Due to the change to the authorization profiles, the last step is to regenerate the profile of each role. You 
can also initiate this via the PFCGMASSVAL, which completes the updates to the roles. 
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Figure 8: Generating the modified profiles 


CONCLUSION ON SAP TRANSACTION 
PFCGMASSVAL 


In summary, the use of PFCGMASSVAL can save a significant amount of time utilizing mass 
maintenance functionality. Within a very short period of time, certain authorization values can be updated 
in a large number of roles making it less time consuming for you to maintain roles. 


As you have probably noticed, the PFCGMASSVAL, unfortunately, does not offer the ability to extend the 
role menu in bulk by a transaction code or to inactivate authorization object instances of the roles in 
mass. 


XAMS can actively support you with the Role Designer and Role Replicator modules. 


Do you need support in the area of SAP Security? Then Xiting is at your side as a 360-degree solution 
provider. In addition to SAP Authorization Management (Auth Management), we also cover the areas of 
SAP Fiori, SAP S/4AHANA, SAP HANA Security, GRC, and many more. We also offer ongoing webinars 
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on various SAP security and special topics to ensure your long-term compliance. We also offer some 
customizing options to respond individually to customer challenges. 
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